@lastshotlabs/bunshot 0.0.21 → 0.0.27

package/dist/lib/wsMessages.js

@@ -0,0 +1,330 @@
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// State
+// ---------------------------------------------------------------------------
+const DEFAULT_MAX_COUNT = 100;
+const DEFAULT_TTL_SECONDS = 86_400; // 24 hours
+let _store = "memory";
+let _defaults = { maxCount: DEFAULT_MAX_COUNT, ttlSeconds: DEFAULT_TTL_SECONDS };
+const _roomConfigs = new Map();
+// Memory store
+const _memoryMessages = new Map();
+// SQLite trim counters — tracks inserts since last trim per room.
+// Resets on server restart; rooms may temporarily exceed maxCount by up to trimInterval rows.
+// This is a soft cap by design to avoid a DELETE on every INSERT under high throughput.
+const _sqliteTrimCounters = new Map();
+// ---------------------------------------------------------------------------
+// Configuration
+// ---------------------------------------------------------------------------
+export const setWsMessageStore = (store) => { _store = store; };
+export const setWsMessageDefaults = (defaults) => {
+    _defaults = {
+        maxCount: defaults.maxCount ?? DEFAULT_MAX_COUNT,
+        ttlSeconds: defaults.ttlSeconds ?? DEFAULT_TTL_SECONDS,
+    };
+};
+/** Opt a room into message persistence. */
+export const configureRoom = (room, options) => {
+    if (!options.persist) {
+        _roomConfigs.delete(room);
+        return;
+    }
+    _roomConfigs.set(room, {
+        maxCount: options.maxCount ?? _defaults.maxCount,
+        ttlSeconds: options.ttlSeconds ?? _defaults.ttlSeconds,
+    });
+};
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Persist a message to a room. Returns null if room is not configured for persistence.
+ * On store errors, logs a warning and returns null (non-blocking).
+ */
+export const persistMessage = async (room, data) => {
+    const config = _roomConfigs.get(room);
+    if (!config)
+        return null;
+    const message = {
+        id: crypto.randomUUID(),
+        room,
+        senderId: data.senderId ?? null,
+        payload: data.payload,
+        createdAt: Date.now(),
+    };
+    try {
+        switch (_store) {
+            case "memory":
+                return memoryPersist(message, config);
+            case "redis":
+                return await redisPersist(message, config);
+            case "mongo":
+                return await mongoPersist(message, config);
+            case "sqlite":
+                return sqlitePersist(message, config);
+        }
+    }
+    catch (err) {
+        console.warn(`[wsMessages] failed to persist message to ${room}:`, err);
+        return null;
+    }
+};
+/**
+ * Get message history for a room.
+ * Cursor-based pagination using message `id` as cursor.
+ */
+export const getMessageHistory = async (room, opts) => {
+    const limit = opts?.limit ?? 50;
+    switch (_store) {
+        case "memory":
+            return memoryGetHistory(room, limit, opts?.before, opts?.after);
+        case "redis":
+            return await redisGetHistory(room, limit, opts?.before, opts?.after);
+        case "mongo":
+            return await mongoGetHistory(room, limit, opts?.before, opts?.after);
+        case "sqlite":
+            return sqliteGetHistory(room, limit, opts?.before, opts?.after);
+    }
+};
+/** Reset memory store. Useful for test isolation. */
+export const clearWsMessageMemoryStore = () => {
+    _memoryMessages.clear();
+    _roomConfigs.clear();
+    _sqliteTrimCounters.clear();
+};
+// ---------------------------------------------------------------------------
+// Memory backend
+// ---------------------------------------------------------------------------
+function memoryPersist(msg, config) {
+    if (!_memoryMessages.has(msg.room))
+        _memoryMessages.set(msg.room, []);
+    const msgs = _memoryMessages.get(msg.room);
+    msgs.push(msg);
+    // Trim to maxCount
+    if (msgs.length > config.maxCount) {
+        msgs.splice(0, msgs.length - config.maxCount);
+    }
+    return msg;
+}
+function memoryGetHistory(room, limit, before, after) {
+    const msgs = _memoryMessages.get(room) ?? [];
+    const now = Date.now();
+    const config = _roomConfigs.get(room);
+    const ttlMs = (config?.ttlSeconds ?? _defaults.ttlSeconds) * 1000;
+    // Filter expired
+    let filtered = msgs.filter((m) => now - m.createdAt < ttlMs);
+    if (before) {
+        const cursorIdx = filtered.findIndex((m) => m.id === before);
+        if (cursorIdx > 0)
+            filtered = filtered.slice(0, cursorIdx);
+    }
+    else if (after) {
+        const cursorIdx = filtered.findIndex((m) => m.id === after);
+        if (cursorIdx >= 0)
+            filtered = filtered.slice(cursorIdx + 1);
+    }
+    // Return last N messages (most recent)
+    return filtered.slice(-limit);
+}
+// ---------------------------------------------------------------------------
+// Redis backend
+// ---------------------------------------------------------------------------
+async function redisPersist(msg, config) {
+    const { getRedis } = await import("./redis");
+    const redis = getRedis();
+    const key = `wsmsg:${msg.room}`;
+    const serialized = JSON.stringify(msg);
+    await redis.lpush(key, serialized);
+    await redis.ltrim(key, 0, config.maxCount - 1);
+    await redis.expire(key, config.ttlSeconds);
+    return msg;
+}
+async function redisGetHistory(room, limit, before, after) {
+    const { getRedis } = await import("./redis");
+    const redis = getRedis();
+    const key = `wsmsg:${room}`;
+    // Redis list is newest-first (LPUSH)
+    const raw = await redis.lrange(key, 0, -1);
+    let msgs = raw.map((s) => JSON.parse(s)).reverse(); // oldest-first
+    if (before) {
+        const idx = msgs.findIndex((m) => m.id === before);
+        if (idx > 0)
+            msgs = msgs.slice(0, idx);
+    }
+    else if (after) {
+        const idx = msgs.findIndex((m) => m.id === after);
+        if (idx >= 0)
+            msgs = msgs.slice(idx + 1);
+    }
+    return msgs.slice(-limit);
+}
+// ---------------------------------------------------------------------------
+// MongoDB backend
+// ---------------------------------------------------------------------------
+let _mongoModel = null;
+async function getWsMessageModel() {
+    if (_mongoModel)
+        return _mongoModel;
+    const { authConnection } = await import("./mongo");
+    const { default: mongoose } = await import("mongoose");
+    const schema = new mongoose.Schema({
+        _id: { type: String, default: () => crypto.randomUUID() },
+        room: { type: String, required: true, index: true },
+        senderId: { type: String, default: null },
+        payload: { type: mongoose.Schema.Types.Mixed },
+        createdAt: { type: Number, required: true, index: true },
+    }, { collection: "ws_messages" });
+    schema.index({ room: 1, createdAt: 1, _id: 1 });
+    // TTL index — Mongo's TTL monitor runs ~every 60s, so messages may briefly
+    // outlive their TTL. Acceptable for chat history.
+    schema.index({ createdAt: 1 }, { expireAfterSeconds: DEFAULT_TTL_SECONDS });
+    _mongoModel = authConnection.model("WsMessage", schema);
+    return _mongoModel;
+}
+async function mongoPersist(msg, config) {
+    const Model = await getWsMessageModel();
+    await Model.create({
+        _id: msg.id,
+        room: msg.room,
+        senderId: msg.senderId,
+        payload: msg.payload,
+        createdAt: msg.createdAt,
+    });
+    // Trim to maxCount
+    const count = await Model.countDocuments({ room: msg.room });
+    if (count > config.maxCount) {
+        const oldest = await Model.find({ room: msg.room })
+            .sort({ createdAt: 1, _id: 1 })
+            .limit(count - config.maxCount)
+            .select("_id");
+        if (oldest.length > 0) {
+            await Model.deleteMany({ _id: { $in: oldest.map((d) => d._id) } });
+        }
+    }
+    return msg;
+}
+async function mongoGetHistory(room, limit, before, after) {
+    const Model = await getWsMessageModel();
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const filter = { room };
+    if (before) {
+        const cursor = await Model.findById(before).lean();
+        if (cursor) {
+            filter.$or = [
+                { createdAt: { $lt: cursor.createdAt } },
+                { createdAt: cursor.createdAt, _id: { $lt: before } },
+            ];
+        }
+    }
+    else if (after) {
+        const cursor = await Model.findById(after).lean();
+        if (cursor) {
+            filter.$or = [
+                { createdAt: { $gt: cursor.createdAt } },
+                { createdAt: cursor.createdAt, _id: { $gt: after } },
+            ];
+        }
+    }
+    const docs = await Model.find(filter)
+        .sort({ createdAt: -1, _id: -1 })
+        .limit(limit)
+        .lean();
+    return docs.reverse().map((d) => ({
+        id: d._id,
+        room: d.room,
+        senderId: d.senderId,
+        payload: d.payload,
+        createdAt: d.createdAt,
+    }));
+}
+// ---------------------------------------------------------------------------
+// SQLite backend
+// ---------------------------------------------------------------------------
+function getSqliteDb() {
+    // Re-use the sqlite DB set via setSqliteDb
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    const { getSqliteDatabase } = require("../adapters/sqliteAuth");
+    return getSqliteDatabase();
+}
+let _sqliteInitialized = false;
+function ensureSqliteTable() {
+    if (_sqliteInitialized)
+        return;
+    const db = getSqliteDb();
+    db.run(`
+    CREATE TABLE IF NOT EXISTS ws_messages (
+      id TEXT PRIMARY KEY,
+      room TEXT NOT NULL,
+      sender_id TEXT,
+      payload TEXT,
+      created_at INTEGER NOT NULL
+    )
+  `);
+    db.run(`CREATE INDEX IF NOT EXISTS idx_ws_messages_room_created ON ws_messages (room, created_at, id)`);
+    _sqliteInitialized = true;
+}
+function sqlitePersist(msg, config) {
+    ensureSqliteTable();
+    const db = getSqliteDb();
+    db.run(`INSERT INTO ws_messages (id, room, sender_id, payload, created_at) VALUES (?, ?, ?, ?, ?)`, [msg.id, msg.room, msg.senderId, JSON.stringify(msg.payload), msg.createdAt]);
+    // Modulo-based trimming to avoid DELETE on every INSERT.
+    const counter = (_sqliteTrimCounters.get(msg.room) ?? 0) + 1;
+    const trimInterval = Math.max(10, Math.floor(config.maxCount * 0.1));
+    _sqliteTrimCounters.set(msg.room, counter);
+    if (counter >= trimInterval) {
+        _sqliteTrimCounters.set(msg.room, 0);
+        // Delete oldest beyond maxCount
+        db.run(`DELETE FROM ws_messages WHERE room = ? AND id NOT IN (
+        SELECT id FROM ws_messages WHERE room = ? ORDER BY created_at DESC, id DESC LIMIT ?
+      )`, [msg.room, msg.room, config.maxCount]);
+        // TTL cleanup
+        const ttlMs = config.ttlSeconds * 1000;
+        db.run(`DELETE FROM ws_messages WHERE room = ? AND created_at < ?`, [msg.room, Date.now() - ttlMs]);
+    }
+    return msg;
+}
+function sqliteGetHistory(room, limit, before, after) {
+    ensureSqliteTable();
+    const db = getSqliteDb();
+    let sql;
+    let params;
+    if (before) {
+        sql = `
+      SELECT * FROM ws_messages
+      WHERE room = ? AND (created_at, id) < (
+        (SELECT created_at FROM ws_messages WHERE id = ?),
+        ?
+      )
+      ORDER BY created_at DESC, id DESC LIMIT ?
+    `;
+        params = [room, before, before, limit];
+    }
+    else if (after) {
+        sql = `
+      SELECT * FROM ws_messages
+      WHERE room = ? AND (created_at, id) > (
+        (SELECT created_at FROM ws_messages WHERE id = ?),
+        ?
+      )
+      ORDER BY created_at ASC, id ASC LIMIT ?
+    `;
+        params = [room, after, after, limit];
+    }
+    else {
+        sql = `SELECT * FROM ws_messages WHERE room = ? ORDER BY created_at DESC, id DESC LIMIT ?`;
+        params = [room, limit];
+    }
+    const rows = db.query(sql).all(...params);
+    // Normalize to oldest-first
+    if (!after)
+        rows.reverse();
+    return rows.map((r) => ({
+        id: r.id,
+        room: r.room,
+        senderId: r.sender_id,
+        payload: JSON.parse(r.payload),
+        createdAt: r.created_at,
+    }));
+}

package/dist/lib/wsPresence.d.ts

@@ -0,0 +1,25 @@
+/** Track an authenticated socket. Skips if userId is null/undefined. */
+export declare const trackSocket: (socketId: string, userId: string | null) => void;
+/** Untrack a socket on disconnect. */
+export declare const untrackSocket: (socketId: string) => void;
+/** Called when a socket subscribes to a room. Returns join info or null if unauthenticated. */
+export declare const addPresence: (socketId: string, room: string) => {
+    userId: string;
+    isNewUser: boolean;
+} | null;
+/** Called when a socket unsubscribes from a room. Returns leave info or null if unauthenticated. */
+export declare const removePresence: (socketId: string, room: string) => {
+    userId: string;
+    isLastSocket: boolean;
+} | null;
+/** Called on disconnect — cleans up all rooms for a socket. Returns rooms where user fully departed. */
+export declare const cleanupPresence: (socketId: string, rooms: Set<string>) => Array<{
+    room: string;
+    userId: string;
+}>;
+/** Deduplicated userIds present in a room. */
+export declare const getRoomPresence: (room: string) => string[];
+/** Rooms where a user is present. */
+export declare const getUserPresence: (userId: string) => string[];
+/** Reset all presence state. Useful for test isolation. */
+export declare const clearPresenceStore: () => void;

package/dist/lib/wsPresence.js

@@ -0,0 +1,99 @@
+// ---------------------------------------------------------------------------
+// State (in-memory only)
+// ---------------------------------------------------------------------------
+/** socketId → userId (authenticated sockets only) */
+const _socketUsers = new Map();
+/** room → userId → Set<socketId> (multi-tab aware) */
+const _roomPresence = new Map();
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/** Track an authenticated socket. Skips if userId is null/undefined. */
+export const trackSocket = (socketId, userId) => {
+    if (!userId)
+        return;
+    _socketUsers.set(socketId, userId);
+};
+/** Untrack a socket on disconnect. */
+export const untrackSocket = (socketId) => {
+    _socketUsers.delete(socketId);
+};
+/** Called when a socket subscribes to a room. Returns join info or null if unauthenticated. */
+export const addPresence = (socketId, room) => {
+    const userId = _socketUsers.get(socketId);
+    if (!userId)
+        return null;
+    if (!_roomPresence.has(room))
+        _roomPresence.set(room, new Map());
+    const roomMap = _roomPresence.get(room);
+    const isNewUser = !roomMap.has(userId) || roomMap.get(userId).size === 0;
+    if (!roomMap.has(userId))
+        roomMap.set(userId, new Set());
+    roomMap.get(userId).add(socketId);
+    return { userId, isNewUser };
+};
+/** Called when a socket unsubscribes from a room. Returns leave info or null if unauthenticated. */
+export const removePresence = (socketId, room) => {
+    const userId = _socketUsers.get(socketId);
+    if (!userId)
+        return null;
+    const roomMap = _roomPresence.get(room);
+    if (!roomMap)
+        return null;
+    const sockets = roomMap.get(userId);
+    if (!sockets)
+        return null;
+    sockets.delete(socketId);
+    const isLastSocket = sockets.size === 0;
+    if (isLastSocket) {
+        roomMap.delete(userId);
+        if (roomMap.size === 0)
+            _roomPresence.delete(room);
+    }
+    return { userId, isLastSocket };
+};
+/** Called on disconnect — cleans up all rooms for a socket. Returns rooms where user fully departed. */
+export const cleanupPresence = (socketId, rooms) => {
+    const userId = _socketUsers.get(socketId);
+    if (!userId)
+        return [];
+    const departed = [];
+    for (const room of rooms) {
+        const roomMap = _roomPresence.get(room);
+        if (!roomMap)
+            continue;
+        const sockets = roomMap.get(userId);
+        if (!sockets)
+            continue;
+        sockets.delete(socketId);
+        if (sockets.size === 0) {
+            roomMap.delete(userId);
+            if (roomMap.size === 0)
+                _roomPresence.delete(room);
+            departed.push({ room, userId });
+        }
+    }
+    return departed;
+};
+/** Deduplicated userIds present in a room. */
+export const getRoomPresence = (room) => {
+    const roomMap = _roomPresence.get(room);
+    if (!roomMap)
+        return [];
+    return [...roomMap.keys()];
+};
+/** Rooms where a user is present. */
+export const getUserPresence = (userId) => {
+    const rooms = [];
+    for (const [room, roomMap] of _roomPresence) {
+        const sockets = roomMap.get(userId);
+        if (sockets && sockets.size > 0)
+            rooms.push(room);
+    }
+    return rooms;
+};
+/** Reset all presence state. Useful for test isolation. */
+export const clearPresenceStore = () => {
+    _socketUsers.clear();
+    _roomPresence.clear();
+};

package/dist/middleware/auditLog.d.ts

@@ -0,0 +1,22 @@
+import type { MiddlewareHandler, Context } from "hono";
+import type { AppEnv } from "../lib/context";
+import type { AuditLogEntry, AuditLogOptions } from "../lib/auditLog";
+export interface AuditLogMiddlewareOptions extends AuditLogOptions {
+    exclude?: {
+        /** Skip logging for requests with these HTTP methods (e.g. `["GET", "HEAD"]`). */
+        methods?: string[];
+        /**
+         * Skip logging for requests whose path matches any entry.
+         * Note: if this array grows large, regex evaluation on every request adds up.
+         * For high-traffic exclusions, prefer string matching over regex.
+         */
+        paths?: (string | RegExp)[];
+    };
+    /**
+     * Called after the entry is built, before it is written to storage.
+     * Use to add semantic context: `action`, `resource`, `resourceId`, `meta`, or `expiresAt`.
+     * If this hook throws, the error is logged and the original entry is written as-is.
+     */
+    onEntry?: (entry: AuditLogEntry, c: Context<AppEnv>) => AuditLogEntry | Promise<AuditLogEntry>;
+}
+export declare const auditLog: (options: AuditLogMiddlewareOptions) => MiddlewareHandler<AppEnv>;

package/dist/middleware/auditLog.js

@@ -0,0 +1,39 @@
+import { getClientIp } from "../lib/clientIp";
+import { logAuditEntry } from "../lib/auditLog";
+export const auditLog = (options) => async (c, next) => {
+    await next();
+    // Exclusion checks run after next() intentionally — c.res.status is only available
+    // after the route handler runs. The route still executes; we're only skipping the log write.
+    if (options.exclude?.methods?.includes(c.req.method))
+        return;
+    // Note: if exclude.paths grows large, regex evaluation on every request adds up.
+    // For high-traffic exclusions, prefer string matching over regex.
+    const path = c.req.path;
+    if (options.exclude?.paths?.some(p => typeof p === "string" ? p === path : p.test(path)))
+        return;
+    let entry = {
+        id: crypto.randomUUID(),
+        requestId: c.get("requestId") ?? undefined,
+        userId: c.get("authUserId") ?? null,
+        sessionId: c.get("sessionId") ?? null,
+        tenantId: c.get("tenantId") ?? null,
+        method: c.req.method,
+        path,
+        status: c.res.status,
+        ip: getClientIp(c),
+        userAgent: c.req.header("user-agent") ?? null,
+        createdAt: new Date().toISOString(),
+    };
+    if (options.onEntry) {
+        try {
+            entry = await options.onEntry(entry, c);
+        }
+        catch (err) {
+            console.error("[auditLog] onEntry hook threw:", err);
+        }
+    }
+    // Fire-and-forget — never block the response; logAuditEntry also swallows errors internally
+    logAuditEntry(entry, options).catch(err => {
+        console.error("[auditLog] write failed:", err);
+    });
+};

package/dist/middleware/bearerAuth.js

@@ -1,7 +1,7 @@
 import { timingSafeEqual } from "../lib/crypto";
 export const bearerAuth = async (c, next) => {
     const isProd = process.env.NODE_ENV === "production";
-    const validToken = isProd ? process.env.BEARER_TOKEN_PROD : process.env.BEARER_TOKEN_DEV;
+    const validToken = (isProd ? process.env.BEARER_TOKEN_PROD : process.env.BEARER_TOKEN_DEV) ?? undefined;
     const header = c.req.header("Authorization");
     const token = header?.startsWith("Bearer ") ? header.slice(7) : null;
     if (!token || !validToken || !timingSafeEqual(token, validToken)) {

package/dist/middleware/cacheResponse.js

@@ -104,7 +104,11 @@ async function storeDelPattern(store, fullPattern) {
     if (store === "mongo") {
         if (!isMongoReady())
             return;
-        const regex = new RegExp("^" + fullPattern.replace(/\*/g, ".*") + "$");
+        // Escape all regex metacharacters in the full pattern (including the cache:{appName}: prefix,
+        // which may itself contain dots or other metacharacters). Then restore * as a glob wildcard.
+        // Order matters: escape first, then replace the now-escaped \* with .* for glob semantics.
+        const escaped = fullPattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
+        const regex = new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
         await getCacheModel().deleteMany({ key: regex });
         return;
     }

package/dist/middleware/captcha.d.ts

@@ -0,0 +1,10 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
+import { type CaptchaConfig } from "../lib/captcha";
+/**
+ * Middleware factory that verifies a CAPTCHA token from the request body.
+ *
+ * @example
+ * router.post("/contact", requireCaptcha({ provider: "turnstile", secretKey: "..." }), handler);
+ */
+export declare const requireCaptcha: (config?: CaptchaConfig) => MiddlewareHandler<AppEnv>;

package/dist/middleware/captcha.js

@@ -0,0 +1,36 @@
+import { verifyCaptcha } from "../lib/captcha";
+import { HttpError } from "../lib/HttpError";
+import { getClientIp } from "../lib/clientIp";
+/**
+ * Middleware factory that verifies a CAPTCHA token from the request body.
+ *
+ * @example
+ * router.post("/contact", requireCaptcha({ provider: "turnstile", secretKey: "..." }), handler);
+ */
+export const requireCaptcha = (config) => async (c, next) => {
+    // Get effective config: param takes precedence, then global config
+    const { getCaptchaConfig } = await import("../lib/appConfig");
+    const effectiveConfig = config ?? getCaptchaConfig();
+    if (!effectiveConfig) {
+        await next();
+        return;
+    }
+    const tokenField = effectiveConfig.tokenField ?? "captcha-token";
+    let body;
+    try {
+        body = await c.req.json();
+    }
+    catch {
+        body = {};
+    }
+    const token = body[tokenField];
+    if (!token) {
+        throw new HttpError(400, "CAPTCHA token is required", "CAPTCHA_MISSING");
+    }
+    const ip = getClientIp(c) ?? undefined;
+    const result = await verifyCaptcha(token, effectiveConfig, ip);
+    if (!result.success) {
+        throw new HttpError(400, "CAPTCHA verification failed", "CAPTCHA_FAILED");
+    }
+    await next();
+};

package/dist/middleware/csrf.js

@@ -4,11 +4,15 @@ import { COOKIE_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN } from "../lib/const
 import { createHmac, randomBytes } from "crypto";
 const isProd = process.env.NODE_ENV === "production";
 const STATE_CHANGING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
-function getJwtSecret() {
+let _csrfSecret = null;
+function getCsrfSecret() {
+    if (_csrfSecret)
+        return _csrfSecret;
     const secret = isProd ? process.env.JWT_SECRET_PROD : process.env.JWT_SECRET_DEV;
     if (!secret)
         throw new Error("CSRF middleware requires JWT_SECRET_DEV/JWT_SECRET_PROD to be set");
-    return secret;
+    _csrfSecret = secret;
+    return _csrfSecret;
 }
 function generateCsrfToken(secret) {
     const token = randomBytes(32).toString("hex");
@@ -36,7 +40,7 @@ const csrfCookieOptions = {
  * session fixation-adjacent attacks.
  */
 export function refreshCsrfToken(c) {
-    const secret = getJwtSecret();
+    const secret = getCsrfSecret();
     const token = generateCsrfToken(secret);
     setCookie(c, COOKIE_CSRF_TOKEN, token, csrfCookieOptions);
 }
@@ -53,12 +57,22 @@ export const csrfProtection = (options = {}) => {
     if (allowedOrigins) {
         const origins = Array.isArray(allowedOrigins) ? allowedOrigins : [allowedOrigins];
         for (const o of origins) {
+            // "*" is intentionally excluded: validating against a wildcard would accept any origin,
+            // defeating the check. When CORS is open, origin validation is meaningless.
             if (o !== "*")
                 originSet.add(o.replace(/\/$/, ""));
         }
     }
+    if (checkOrigin && originSet.size === 0) {
+        // Warn in all environments — this is a one-time startup message, not per-request noise,
+        // and a misconfigured production deployment should surface it.
+        console.warn("[bunshot] csrfProtection: checkOrigin is enabled but no specific allowed origins are " +
+            "configured (CORS is \"*\" or allowedOrigins is unset). Origin validation is disabled — " +
+            "only the HMAC double-submit cookie check is active. Set security.cors to specific " +
+            "origins to enable origin validation.");
+    }
     return async (c, next) => {
-        const secret = getJwtSecret();
+        const secret = getCsrfSecret();
         // Set CSRF cookie on every response if not already present
         const existingCsrf = getCookie(c, COOKIE_CSRF_TOKEN);
         if (!existingCsrf) {

package/dist/middleware/errorHandler.js

@@ -6,7 +6,10 @@ export const errorHandler = async (req, next) => {
     catch (err) {
         console.error(err);
         if (err instanceof HttpError) {
-            return Response.json({ error: err.message }, { status: err.status });
+            const body = { error: err.message };
+            if (err.code !== undefined)
+                body.code = err.code;
+            return Response.json(body, { status: err.status });
         }
         return Response.json({ error: "Internal Server Error" }, { status: 500 });
     }